Data Protection and Privacy Policy

1. Introduction

Guinea Insurance Plc is an insurance outfit licensed by the National Insurance Commission (NAICOM) to underwrite general business insurance services in Nigeria.

In line with our commitment to, and compliance with, the Nigeria Data Protection Regulation (NDPR) 2019, we have developed our Data Protection & Privacy Policy (DPPP).

The Policy emphasizes our commitment to, at all times, ensure that we gather, store and handle data fairly, transparently and with respect towards Data Subjects’ rights.

Consequently, Management have nominated and appointed a Data Protection Officer, who has been approved by the Board, to ensure adherence to the Regulation, relevant data privacy instruments and data protection directives of the company.

2. Data Protection Officer (DPO) Structure

Name: Ronke Olaleye
Email: rolaleye@guineainsurance.com
Tel: +234-805-970-1111

Job Description:

  • Inform and advise Management and employees about their obligations to comply with the NDPR
  • Manage the Company’s internal data protection activities
  • Handle data privacy requests from Data Subjects
  • Prepare data protection training plan for employees and management and subsequently conduct and arrange internal & external trainings

  • Advise on Data Protection Impact Assessment
  • Monitor company-wide compliance with the NDPR
  • Act as the first point of contact for NITDA

3. Roles and Responsibilities of Employees and Directors

In compliance with the NDPR, we have identified key stakeholders and their responsibilities to drive the operationalisation of the Policy and implementation of necessary data protection controls.

Board

  • Set the tone at the top on data protection and privacy
  • Approve all Policies, Programmes, Processes and Procedures regarding the implementation of the NDPR
  • Provide effective governance functions on NDPR compliance obligations

Management:

  • Ensure that data protection objectives are established and are aligned with the strategic direction of the company
  • Ensure that the resources needed for the protection of Personal Data are available
  • Communicate the importance of effective data protection in the company and of conforming to its requirements
  • Ensure that the company meets the obligations of the Regulation

Employees

  • Fully comply with the policy
  • Report any data breach to the DPO within 24 hours of being aware of it

4. Data Protection Governance

When we collect and process personal information of our Data Subjects, we ensure that such data are obtained and used in accordance with the extant data protection regulation in Nigeria. We handle Personal Data with the greatest care and use it only for legitimate and specified business purposes.

We are guided by the following principles when handling Personal Data:

  • Lawfulness, Fairness and Transparency
    We process the Personal Data of Data Subjects based on consent, contract, legal obligation, vital interests, public task or legitimate interest. Where data is processed based on the Data Subject’s consent, evidence of opt-in consent is kept with the Personal Data.
  • Purpose Limitation
    We collect Personal Data of Data Subjects for specified, explicit and legitimate purposes.
  • Data Minimization
    We only process adequate data for relevant purposes and in a limited capacity.
  • Accuracy
    We maintain accurate data that is continually kept up to date. Similarly, inaccurate Personal Data is either erased or promptly rectified.
  • Storage Limitation
    We keep Personal Data of our Data Subjects in a form that permits identification of Data Subjects for no longer than is necessary and for the purposes which the Personal Data are being processed.
  • Integrity and Confidentiality
    We protect Personal Data by implementing appropriate technical and organisational measures to ensure appropriate security, in order to safeguard the rights and freedom of Data Subjects.
  • Accountability
    We hold ourselves accountable to demonstrate compliance with applicable legal and regulatory requirements and understand our roles and responsibilities for efficient data protection.

Ultimately, our policy is implemented in order to abide by the NDPR issued by NITDA and to assist the agency in fostering safe conduct of transactions involving the exchange of Personal Data by customers/clients of both public and private organisations in Nigeria.

5. Data Security and Storage

In order to safeguard Personal Data of Data Subjects, we apply the following information security measures:

Network Access Control
To prevent unauthorised access that may lead to data breach through our network, only devices on our access control lists have the permission to utilise our networks.

Intrusion Prevention System
In order to protect Personal Data and sensitive information, we have implemented an Intrusion Prevention System in the form of a firewall solution. Our firewall solution protects our network and connected systems from malicious attacks and hacking from cybercriminals by filtering and blocking unwanted data packets from accessing our computer network.

Our Next-Gen firewall solution has a pre-emptive approach to network security as it is able to identify potential threats and respond to them swiftly.

When a threat is detected, the firewall solution deploys a lateral movement protection defence response, which prevents the threat from spreading and isolates the affected system from communicating with other systems or back to the host.

Endpoint Security System
We have installed an endpoint protection system that combines antimalware, Data Loss Prevention (DLP), firewall, application and device control as well as a host-based intrusion prevention system.

This also offers website browsing protection and filtering, email protection (such as anti-spam) and patch assessment.

Our endpoint protection system offers protection from zero-day attacks and drive-by downloads, includes root cause analysis and anti-exploit technology to minimize damage from breaches, and incorporates CryptoGuard to protect against ransomware.

Data Backup
Backups in our organisation are performed automatically on a daily basis. Backups are encrypted with an industry-standard solution, and backed-up data can only be accessed by authorised personnel for control purposes.

Offsite Protection
Our devices are also protected for offsite use, as we support our staff working remotely. Our endpoint security system extends to registered devices which can communicate over the internet only through our Virtual Private Network. This means that our staff can work from any location with their provided devices and are still under the security controls applicable to those within the organisation premises.

Physical Security
To mitigate the threat of data loss that could arise from a physical breach at our premises, we have, in addition to human security services, deployed CCTV and round-the-clock surveillance systems in strategic locations.

Our data centre has access control via cards for authorised personnel only. Documents stored in hard copies are secured in a code-enabled cabinet and accessible to only authorised personnel who keep logs of collected and returned documents.

Fire alarm systems are also present in the case of arson or accidental fire outbreak.

Our information security policies and practices apply to all personal information in our custody.

6. Third Party Data Processing

Disclosure to Employees

Employees have access to, and process, Personal Data on a “need to know” basis in order to do their job. We regularly check who has access to our systems and data.

Disclosure to Third Parties

We may disclose Data Subject’s Personal Data to these categories of third parties:

  • Our service providers and agents e.g. IT companies who support our technology, marketing agencies, research specialists, tax advisers etc.
  • Our professional advisers: auditors; reinsurers; and legal advisers
  • Clients who provide us with Data Subject’s Personal Data.
  • Persons legally authorised to act on our behalf e.g. Lawyer, Insurance Broker and loss adjusters, etc.
  • Nigerian Insurance Industry Database (NIID)
  • Nigerian Insurers Association (NIA)
  • Individuals nominated and authorised by the Data Subject to engage us on his/her behalf.
  • Credit referencing organisations, to obtain information which may be used by Guinea Insurance Plc to determine its risk selection, pricing and underwriting decisions.
  • Regulatory and law enforcement agencies.
  • Customer relationship management.
  • Independent customer satisfaction survey providers.
  • Financial organisations and advisers.
  • Government and its agencies.
  • Selected third parties in connection with the sale, transfer or disposal of the business or in connection with employee assessment, academic records verification and employee well-being survey.

The above disclosures to the third party shall be made only to the extent necessary for the specific purpose for which the data is provided. The third party shall be informed of the confidential nature of such information and shall be directed to keep the Data Subject’s information strictly confidential.

7. Data Privacy Breach

All employees are obligated to bring to Management’s notice any breach occurrence, which shall in turn be reported to NITDA within 72 hours of knowledge of the breach.

The notification of data breach to NITDA shall include the following information:

  • A description of the circumstances of the loss or unauthorised access or disclosure
  • The date or time period during which the loss or unauthorised access or disclosure occurred
  • A description of the personal information involved in the loss or unauthorised access or disclosure
  • An assessment of the risk of harm to individuals as a result of the loss or unauthorised access or disclosure
  • An estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorised access or disclosure
  • A description of any steps the organization has taken to reduce the risk of harm to individuals
  • A description of any steps the organization has taken to notify individuals of the loss or unauthorised access or disclosure, and
  • The name and contact information of the DPO in order to answer, on behalf of the organisation, the Agency’s questions about the loss or unauthorised access or disclosure

8. Internal Sanctions

All employees are enjoined to ensure that they do not indulge in activities that can result in the compromise or breach of data. In addition, it is the responsibility of everyone to adhere to the dictates of this policy.

Failure to comply with this policy, whether or not intentional, will lead to disciplinary action (up to and including dismissal).

9. Transfer to a Foreign Country

Data Subjects’ personal information may be transferred to a third party in a foreign country which has adequate data protection laws for data transfer, to be determined by NITDA. Data Subjects are informed of the appropriate safeguards for data protection in the foreign country.

Where NITDA has not determined the third-party country, the Data Subject’s personal information may be transferred to a third party in a foreign country in the following circumstances:

  • The Data Subject has consented to the proposed transfer after having been informed of the possible risks of such transfers.
  • The transfer is for the performance of a contract between the Data Subject and Guinea Insurance Plc.
  • The transfer is for the performance of a contract concluded in the interest of the Data Subject between Guinea Insurance Plc and another natural or legal person.
  • The transfer is for public interest.
  • The transfer is for the establishment, exercise or defence of a legal claim.
  • The transfer is to protect the vital interest of the Data Subject or other persons, where the Data Subject is physically or legally incapable of giving consent.
  • Receipt of the privacy policy of the third party to guarantee the safeguard and protection of the Personal Data of the Data Subject in the custody of the third party.

10. Awareness and Training

Ultimately, our employees are the most important element of our commitment to the protection of our Data Subjects’ Personal Data. Our employees are involved in every step of the data lifecycle, including sourcing and receiving Personal Data, processing it in compliance with laws and regulations, employing safeguards, and establishing the means and schedules of retention and deletion. It is therefore imperative that employees understand their role and be committed to safeguarding Personal Data.

Our data protection training programme is designed to be relevant and focused on concrete risks. More importantly, we conduct data protection trainings for employees and directors bi-annually; and run regular data protection and information security awareness campaigns. We also share, with employees, other knowledge resources on data protection and privacy, including guidance on ways they can better protect and safeguard Personal Data.

It is important that employees understand the significance of protecting Personal Data and respecting privacy rights, with the ability to relate this back to the risks and consequences from an individual perspective.

We remain committed to our goal of ensuring that employees and other stakeholders understand their respective roles and responsibilities for compliance with the NDPR.

11. Data Protection Impact Assessment (DPIA)

At the advent of any project that would involve processing sensitive/high risk data, a data protection impact assessment is conducted. This is to identify possible areas where breaches may occur and devise means of minimising the data protection risks. We also conduct periodic DPIA on our processes, services and technology to ensure continuous compliance with the NDPR.

Our DPIA takes the following form:

  • It describes the nature, scope, context and purposes of the processing;
  • It assesses necessity, proportionality and compliance measures;
  • It identifies and assesses risks to Data Subjects; and
  • It identifies any additional measures to mitigate those risks.

The level of risk is assessed by considering both the likelihood and the severity of any impact on our Data Subjects.

The Risk Management department is responsible for conducting DPIA.

12. Internal Audit

We conduct a bi-annual internal audit of our privacy and data protection practices, in accordance with the NDPR. The Internal Audit department is responsible for conducting the internal audit. However, the Data Protection Officer is responsible for monitoring compliance with the Regulation.

13. Privacy Policy

At Guinea Insurance Plc, the privacy of our Data Subjects’ Personal Data is of utmost importance to us. In line with our resolution, we have developed this Privacy Policy to help you understand how we may process any personal information obtained from you and to explain your privacy rights.

This Privacy Policy therefore constitutes our commitment to your privacy on all our platforms. It is designed to provide information regarding our privacy practices.

1. Consent

By providing your personal information to us, you have signified your acceptance of our Privacy Policy and agree that we may collect, use and disclose your personal information for specified purposes as described in this Privacy Policy.

2. What Personal Data do we collect?

The personal data we process depends on Data Subjects’ relationship with the company. Generally, we may process the following:

  1. Personal Identification Information – When filling out a proposal form, we will request for your full name, date of birth, age, nationality, gender, signature, utility bills, photographs, phone number, home address, and email address.
  2. Formal Identification Information – These include National Identification Number (NIN), International Passport details, Drivers’ License details, Voter’s card details.
  3. Online Identifiers – Browser fingerprint, Operating System (OS), browser name and version, and/or personal IP addresses.
  4. Financial Information – We may process information related to payments that Data Subjects make or receive in the context of an insurance policy or claim. These include information such as Bank Verification Number (BVN) and information obtained from credit reference agencies.
  5. Contractual Information – We may process details about the policies a data subject holds and with whom the data subject holds them.
  6. Health Information – We may process medical related issues relevant to a policy the data subject holds or a claim the data subject has made.
  7. Other Sensitive Personal data – These include health background / information, marital status, criminal history record, biometric details, academic records, gender, etc.

We also collect personal data in the following ways:

  • Information from our social media sites: We may collect information through your engagement with us on our social media sites (Facebook, Instagram, LinkedIn, Twitter, WhatsApp). This includes your replies to our posts, your comments, enquiries and support messages. However, we will only ask for information required to help us be of service to you.
  • Other information we collect related to your use of our site or services: We may collect additional information from or about you when you contact us with an enquiry, register on the site, request us to provide you with information, request a quote or take advantage of a promotion.
  • Third Parties: We may also receive your information from third parties such as financial institutions and service providers.
  • Job Application: When you apply for a job with us, we will request Personal Data about your education, employment and state of health. As part of your application, you will be asked to provide your express consent to our use of this information to assess your application and any monitoring activities which may be required of us under applicable laws as an employer.

We may also carry out screening checks (reference, background and criminal record checks).

We may exchange your Personal Data with academic institutions, recruiters, health maintenance organisations, law enforcement agencies, referees and your previous employers.

Without your Personal Data, we may not be able to process your application for positions with us.

We do not collect the information of minors.

If you are below 18, do not provide us with your personal information.

Why Do We Collect your Personal Data?

Guinea Insurance Plc will obtain your consent before using and processing your data for one or more specific purposes made known to you. We collect your personal data to provide you an efficient and secure customer experience. Specifically, we may use your personal data for several reasons such as:

  • Underwriting our business with you
  • Managing claims
  • Assessing, improving and developing our services
  • Enhancing our knowledge of risk and insurance markets in general
  • Fulfilling legal or regulatory obligations and protecting ourselves and you against fraud. Such regulators include NAICOM, Nigerian Financial Intelligence Unit (NFIU) and other relevant regulatory agencies.
  • For the protection of public interest such as investigation of fraudulent claims and Anti-Money Laundering/ Combating the Financing of Terrorism (AML/CFT) compliance checks.
  • For archiving purposes in the public interest or statistical purposes.
  • For the purpose of assessment of proposed Data Subjects’ employability and other employee benefits-related purposes.
  • Market our products and services to you. We will not send unsolicited marketing communications to you by SMS or email if you have not opted in to receive them. Additionally, you can withdraw your consent at any time and free of charge.

3. What are our Collection Methods?

Typically, we receive personal data directly from you. However, we may also receive personal data from third parties such as our corporate clients. The following are methods through which we collect personal information:

Direct collection:

  • Know Your Customer (KYC) forms
  • Claim forms
  • Forums and feedback forms
  • Enquiry and Quote forms
  • Recorded telephone conversations
  • Digital touch points
  • Electronic means (emails and apps)
  • Employee engagement personal data forms (inclusive of medical report)

Third party’s data collection source:

  • Individuals or employers with policies with Guinea Insurance Plc under which a data subject is insured i.e. a named individual within a group life insurance policy.
  • Credit reference agencies including credit ratings.
  • Family members in the event of incapacitation or death of the insured for purpose of claims payment
  • Medical professionals and hospitals
  • Aggregators
  • Loss adjusters, claim assessors, etc.

In the case of data obtained from third party source, a copy of your consent given to the third party to transfer the data to Guinea Insurance Plc shall suffice for our use and processing.

4. How We Use Cookies

Cookies are small files placed on your device’s browser that enable the website to identify your device as you view different pages. We use cookies to track browsing history of visitors to improve their experience.

Our website provides visitors an option to accept the use of cookies during their browsing session. Consent is received before any form of data processing can be performed. Every consent given by a data subject is kept secured as evidence that consent was received.

Certain aspects of our website are only available through the use of cookies, so your use of our website may be limited or not possible if you choose to disable or decline cookies.

5. Record Retention Period

We retain Personal Data for at least five (5) years after your relationship with us has ended in order to fulfil the relevant purposes set out in this policy and to comply with our legal and regulatory obligations. We may retain Personal Data for longer periods if it is in our legitimate business interests and required to comply with applicable laws. We will continue to use and disclose such Personal Data in accordance with this Privacy Policy.

6. Sharing your Personal Data

We may share your Personal Data or other information about you with others for the following reasons:

  • With other companies that provide services to us: We may share Personal Data with third-party service providers that perform services and functions at our direction and on our behalf. These third-party service providers may, for example, provide you with services, verify your identity or provide customer support.
  • With other third parties for our business purposes or as permitted or required by law: We may share information about you with other parties for our business purposes or as permitted or required by law, including:
    1. if we need to do so to comply with a law, legal process or regulations;
    2. to law enforcement authorities or other government officials, or other third parties pursuant to a court order or other legal process or requirement applicable to us or our corporate family;
    3. with credit agencies and data processors for credit reference checks and anti-fraud and compliance purposes;
    4. to investigate violations of or enforce a user agreement or other legal terms applicable to any service;
    5. to companies that we plan to merge with or be acquired by; and
    6. to support our audit, compliance, and corporate governance functions.
  • With your consent: We will also share your Personal Data and other information with your consent or direction.

7. What Are Your Rights?

I. Requests to Access, Rectify or Erase

1. Access Request

You have the right to ask us whether we hold any Personal Data relating to you and, if we do, to be provided with a copy of that Personal Data in electronic form, unless you want to receive it in another way (for example, a paper copy). In addition, you can ask us for information on how we use your Personal Data, who we share it with, how long we keep it, where it is stored, and other information to help you understand how we use it.

2. Rectification Request

You have the right to ask us to correct your Personal Data (including by means of providing a supplementary statement) if it is inaccurate and to have incomplete Personal Data updated without undue delay. If we cannot correct the Personal Data, we include a note on our files regarding your request to correct your Personal Data.

3. Erasure Request

You have the right to ask us to erase your Personal Data if:

  • Your Personal Data are no longer necessary for the purpose(s) they were collected for
  • Your Personal Data have been unlawfully processed
  • Your Personal Data must be erased to comply with a regulation
  • You withdraw your consent for the processing of the Personal Data (and if this is the only basis on which we are processing your Personal Data)
  • You object to processing that is based on our legitimate interests, provided there are no overriding legitimate grounds for continued processing, or
  • You object to processing for direct marketing purposes.

If we have made the Personal Data concerned public, we will also take reasonable steps to inform other data controllers processing the data so they can seek to erase links to or copies of your Personal Data.

We may refuse to act on your request to erase your Personal Data if the processing of your Personal Data is necessary:

  • To exercise our right of freedom of expression and information
  • To comply with the NDPR and relevant Nigerian laws
  • For the performance of a task carried out in the public interest or to exercise official authority vested in us
  • To establish, exercise or defend legal claims.

In these cases, we can restrict the processing instead of erasing your Personal Data if requested to do so by you.

II. Requests to Object

You have the right to object at any time to the processing of your Personal Data if we process it based on our legitimate interests. This includes any so-called “profiling”. Our privacy notice informs you when we rely on legitimate interests to process your Personal Data. In these cases, we will stop processing your Personal Data unless we can demonstrate compelling legitimate reasons for continuing the processing. We may reject your request if the processing of your Personal Data is needed to establish, exercise or defend legal claims. You have the right to object at any time if we process your Personal Data for direct marketing purposes. You may also object at any time to profiling supporting our direct marketing. In such cases, we will stop processing your Personal Data when we receive your objection.

III. Requests to Restrict

You have the right to ask us to restrict the processing of your Personal Data if:

  • You contest the accuracy of your Personal Data and we are in the process of verifying the Personal Data we hold
  • The processing is unlawful and you do not want us to erase your Personal Data
  • We no longer need your Personal Data for the original purpose(s) of processing, but you need them to establish, exercise or defend legal claims and you do not want us to delete the Personal Data as a result, or
  • You have objected to processing carried out because of our legitimate interests while we verify if our legitimate grounds override yours.

If processing is restricted, we may process your Personal Data (except for storage purposes), only:

  • If you have given us your consent
  • For establishing, exercising or defending legal claims
  • For protecting the rights of another natural or legal person, or
  • For reasons of important public interest as defined under the NDPR and relevant Nigerian laws

Once processing is restricted following your request, we will inform you before we lift the restriction.

IV. Requests for Portability

You have the right to ask that we transfer any personal information that you have provided to us to another third party. Once transferred, the other party will be responsible for safeguarding such personal information.

Even if you request the portability of your Personal Data, you retain your right to also request their erasure.

V. Requests to Object to Automated Decisions

Generally, you have the right to object to any decision producing a legal effect concerning you or which otherwise significantly affects you if this is based solely on the automated processing of your Personal Data. This includes automated decisions based on profiling.

We may refuse your request if the decision in question is:

  • Necessary to enter into a contract with you, or for the performance of your contract with us
  • Permitted by regulations, or
  • Based on your explicit consent.

We will only make decisions relying solely on automated processing that involve your sensitive Personal Data if you have given your explicit consent or the processing is necessary for reasons of substantial public interest, based on the NDPR and relevant laws.

8. How Do We Protect Your Personal Data?

We maintain technical, physical, and administrative security measures designed to provide reasonable protection for your Personal Data against loss, misuse, unauthorised access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our premises, CCTV cameras for public safety and quality control as well as information access authorisation controls. While we are dedicated to securing our systems and services, you are responsible for securing and maintaining the privacy of your password(s) and account/profile registration information and verifying that the Personal Data we maintain about you is accurate and current.

We will inform you of any breaches which may affect your Personal Data.

9. Remedies for Violation and Timeframe for Remedy

In the event of violation of this policy, our Data Protection Officer shall within 7 days redress the violation. Where the violation pertains to the disclosure of your Personal Data without your consent, such information shall be retracted immediately, and confirmation of the retraction sent to you within 48 hours of the redress.

10. Contact Us

If you have any general questions or concerns about this Privacy Policy or the way in which we handle your Personal Data, kindly contact us via the details below:

GUINEA INSURANCE PLC
33, Ikorodu Road Jibowu, Lagos
Email: rolaleye@guineainsurance.com
Tel: +234-805-970-1111

Copyright © 2020 Guinea Insurance Company Limited RC1808. Authorised & Regulated by the National Insurance Commission RIC N0. - 017